refactor(coder-templates/firewalled): direct-install Claude Code + boundary wrapper#53
Open
ausbru87 wants to merge 2 commits into
Open
refactor(coder-templates/firewalled): direct-install Claude Code + boundary wrapper#53ausbru87 wants to merge 2 commits into
ausbru87 wants to merge 2 commits into
Conversation
…undary wrapper Replace the claude-code registry module (4.7.3) and its AgentAPI / Coder Tasks wiring with a direct install in the agent startup_script, adapted from the Red Hat Summit 2026 demo template. - Remove module "claude_code", coder_ai_task, data "coder_task", the ai_prompt parameter, the effective_prompt local, and the provider >= 2.13.0 constraint that only coder_task needed. - Install Claude Code natively into ~/.local/bin and the standalone boundary binary via their install.sh scripts. - Pre-seed ~/.claude/settings.json and ~/.claude.json (new claude_settings and claude_config locals) so onboarding/trust dialogs are skipped and the AI Gateway endpoint is configured. - Wrap claude with boundary at ~/.local/bin/boundary-wrappers/claude (boundary --config <cfg> --jail-type landjail -- <real claude> --dangerously-skip-permissions "$@") and prepend the wrappers dir to PATH in the shell rc files, so claude runs jailed by default and the --dangerously-skip-permissions flag removes Claude's interactive prompts. - Stage operator firewall smoke-test scripts under ~/demo/. - AI Gateway auth via coder_env CLAUDE_API_KEY + ANTHROPIC_AUTH_TOKEN (session token) and agent env ANTHROPIC_BASE_URL/ANTHROPIC_API_BASE. Codex/OpenAI is intentionally omitted: this is a Claude-only firewall demo. boundary.config.yaml.tftpl allowlist is unchanged. terraform validate and fmt pass. README rewritten to match. Generated by Coder Agents.
… Gateway auth Claude Code warned "Auth conflict: Both a token (ANTHROPIC_AUTH_TOKEN) and an API key (/login managed key) are set" because the template provided two credentials at once: the ANTHROPIC_AUTH_TOKEN env var (bearer token) plus a ~/.claude.json primaryApiKey and a CLAUDE_API_KEY env var (API key). Keep ANTHROPIC_AUTH_TOKEN (the documented AI Gateway client contract in deploy/CONVENTIONS.md) as the single credential. Remove the coder_env.claude_api_key resource and the claude_config.primaryApiKey so Claude Code sees exactly one auth source and starts without the warning. ~/.claude.json still carries the onboarding and project-trust flags. Generated by Coder Agents.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Rewrites the
firewalledtemplate to install Claude Code and the Coder Boundary agent firewall directly in the agentstartup_script, replacing theclaude-coderegistry module (4.7.3) and its AgentAPI / Coder Tasks wiring. Method adapted from the Red Hat Summit 2026 demo template.What changed
module "claude_code",resource "coder_ai_task",data "coder_task", theai_promptparameter, theeffective_promptlocal, and the provider>= 2.13.0constraint that onlycoder_taskneeded.startup_script):~/.local/bin(claude.ai/install.sh).boundarybinary install (coder/boundary/main/install.sh).~/.claude/settings.json+~/.claude.json(claude_settings/claude_configlocals) to skip onboarding/trust dialogs and set the AI Gateway endpoint.~/.local/bin/boundary-wrappers/claudethat runsboundary --config <cfg> --jail-type landjail -- <real claude> --dangerously-skip-permissions "$@", with the wrappers dir prepended to PATH in the shell rc files soclaudeis jailed by default.--dangerously-skip-permissionsremoves Claude's interactive prompts (boundary is the security boundary).~/demo/.coder_envCLAUDE_API_KEY+ANTHROPIC_AUTH_TOKEN(session token); agent envANTHROPIC_BASE_URL/ANTHROPIC_API_BASE.boundary.config.yaml.tftplallowlist is unchanged.README.mdrewritten to match.Validation
terraform fmtandterraform validatepass.coder templates push firewalled); the plan preview shows onlycoder_envx4, the PVC, and the pod (no module / task resources). Runningfw-egress-*workspaces are untouched (they stay on the prior version).Why direct-install instead of the module
The claude-code 4.7.3 module bundles AgentAPI and the Coder Tasks chat UI, which surfaced Claude's interactive "Bypass Permissions mode" select-menu that could not be reliably suppressed. The boundary wrapper's
--dangerously-skip-permissionsremoves that prompt entirely, so the firewall demo runs hands-off from a normal terminal / code-server session. The standalone boundary binary also avoids thecoder boundarysubcommand's login/license dependency (the agent only carries an agent token).Generated by Coder Agents, on behalf of @ausbru87.